role-creator
Warn
Audited by Gen Agent Trust Hub on Mar 27, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill relies on shell scripts (write_role_config.sh, install_role.sh) that perform file system operations like mkdir, cp, and mv. These scripts use user-provided parameters for file paths (--output, --config) without sufficient path validation, potentially allowing the overwriting of arbitrary files.
- [DATA_EXFILTRATION]: The script write_role_config.sh allows reading the contents of any file accessible to the agent process via the --developer-instructions-file argument. This content is then written into a role configuration file, which could expose sensitive information to the agent's context or to other users with access to the configuration directory.
- [PROMPT_INJECTION]: The skill creates an indirect prompt injection surface by persisting user-supplied strings into agent configuration files.
  - Ingestion points: Arguments such as --developer-instructions, --description, and --role-name in the configuration and installation scripts.
  - Boundary markers: Absent. The user-provided content is directly interpolated into TOML files without delimiters or instructions for the subagent to ignore embedded commands.
  - Capability inventory: The skill can modify the global agent configuration (~/.codex/config.toml) and create new executable agent roles with customized instructions and tool access.
  - Sanitization: The scripts use tomlq to ensure valid TOML formatting, which prevents syntax-level injection, but there is no validation or filtering of the semantic content provided by the user.
Audit Metadata